May 17 2022 02:45 PM
A few months ago, we enrolled a bunch of 2012R2 (and 2016) servers to MDE. At the time we needed isolation for these servers as well, but the functionality was not available. We solved it via a script that would query the tenant for events and then connect to the VMware API to isolate the server.
However, a few months ago, Microsoft finally released the unified method of onboarding servers to MDE and we went through the process of migrating all our servers. However, I'm struggling to migrate specific 2012R2 servers, namely the ones that are Citrix workers.
I followed this https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints-vdi?vi... but it didn't help.
So here is what I've got to test on my "master":
- Windows 2012 R2 fully patched.
- I install the unified client
- I copy the Onboarding script, specially created for VDI (as per the article)
- I want to have one entry per citrix worker.
- I configure local group policy to run the scripts at startup
Now, I reboot the master (I know, it will onboard the master), OR I have also launched the script manually (the one that is configured at startup: Onboard-NonPersistentMachine.ps1).
But... it doesn't onboard anything, I don't see anything in the tenant.
So I checked the event viewer.
- In the Application events I do see a successful WDATPOnboarding event
- In the SENSE events, I see a bunch of information events (that are triggered after the onboarding process finishes), but then I see periodic events (10s, 130s, 10s, 70s, etc.) of an error:
Failed to communicate with authentication service, register request failed, result 0x800705B4, error code 0
- the SENSE service is running
- the Diagnostic Tracking service is running
- when I run the MDE analyser I get 1 warning which doesn't seem to be related to the issue.
- Sometimes in the middle of the hundreds of errors in the SENSE event log, I see a warning that says:
Contacted server 7 times, failed 6 times and succeeded 1 times, URI: https://winatp-gw-weu.microsoft.com/ Last HTTP code: 0
Searching around on the Internet, the hex error I got seems to be usually related to network stuff... so:
- I double checked our lines of firewall. Opened everything wide.
- I made sure the Update service was enabled and rechecked for updates. Nothing.
- From the server, I do have Internet access to all sites (Microsoft and non-Microsoft)
- I disabled local firewall
- I connect to the URL and it tells me that the CA is not trusted. I add the certificate (and the whole chain, for that matter) to the _system_ trusted root CA store. Now I do not have an error anymore.
- If I append /test to the URL, I get a "Ok" string back. So the browser is able to connect to the site and I suppose the system can also.
- I install Wireshark but obviously I don't see anything. I only wanted to see if there were some SYN that didn't get a response.
- If I go to a server that was onboarded normally and which works, I see that it tries to connect to the same URL, but it says: Contacted server X times, all succeeded.
- At one point, I thought the error is maybe normal and it will disappear for a Citrix worker and not for the master/template... so I pushed it... but everything is the same (onboarded according to the Event log, errors in the SENSE event log, nothing in the MDE Portal).
Any ideas? I'm currently out of any.
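The checks the post walks through by hand (SENSE service state, onboarding status, TCP and HTTP reachability of the gateway's /test path, and the pattern of errors in the SENSE event log) collected into one PowerShell report. This is an added example, not the poster's script and not Microsoft's own tooling. It assumes the SENSE operational log is named Microsoft-Windows-SENSE/Operational, that onboarding status is exposed under the documented HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status key, and it uses the EU gateway URL quoted in the post as its default. The HRESULT in the post, 0x800705B4, carries Win32 error 1460 (ERROR_TIMEOUT) in its low 16 bits, which the script decodes rather than hard-coding.

```powershell
# Added example (not the poster's script): one-shot MDE connectivity/onboarding report
# for a server whose SENSE log shows "Failed to communicate with authentication service".
# Assumptions: log name 'Microsoft-Windows-SENSE/Operational', the documented
# 'Windows Advanced Threat Protection\Status' registry key, EU gateway URL from the post.
param(
    [string]$GatewayUri  = 'https://winatp-gw-weu.microsoft.com/',
    [int]$MinutesBack    = 60
)

$report = [ordered]@{}

# 1. Decode the HRESULT from the post: 0x8007xxxx wraps a Win32 error in the low 16 bits.
$hresult = 0x800705B4
$win32   = $hresult -band 0xFFFF                          # 1460
$report.ErrorMeaning = '0x{0:X8} -> Win32 {1}: {2}' -f $hresult, $win32,
    (New-Object System.ComponentModel.Win32Exception($win32)).Message

# 2. Service and onboarding state as the machine itself sees it.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$report.SenseService = if ($sense) { $sense.Status } else { 'not installed' }
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$report.OnboardingState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState

# 3. Onboarding event the post mentions (Application log, provider WDATPOnboarding).
$onboard = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding' } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
$report.LastOnboardingEvent = if ($onboard) { "$($onboard.TimeCreated) id=$($onboard.Id)" } else { 'none' }

# 4. TCP reachability and the /test probe from the post (a working server returns "Ok").
#    Invoke-WebRequest validates the chain against the system store, so an untrusted CA
#    (the post's first finding) shows up here as a trust-relationship failure.
$gwHost = ([uri]$GatewayUri).Host
$tcp = Test-NetConnection -ComputerName $gwHost -Port 443 -WarningAction SilentlyContinue
$report.Tcp443 = $tcp.TcpTestSucceeded
try {
    $resp = Invoke-WebRequest -Uri ($GatewayUri.TrimEnd('/') + '/test') -UseBasicParsing -TimeoutSec 15
    $report.TestProbe = "$($resp.StatusCode) $($resp.Content)"
} catch {
    $report.TestProbe = "failed: $($_.Exception.Message)"
}

# 5. Recent SENSE operational events: count the auth-service failures, show the
#    'Contacted server' summaries, and compute the gaps between failures (the post
#    saw 10s/130s/10s/70s), so a timeout pattern is visible at a glance.
$since  = (Get-Date).AddMinutes(-$MinutesBack)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; StartTime = $since } `
    -ErrorAction SilentlyContinue)
$authFailures = @($events | Where-Object { $_.Message -like '*Failed to communicate with authentication service*' })
$report.AuthFailures = $authFailures.Count
$report.ContactSummaries = @($events | Where-Object { $_.Message -like 'Contacted server*' } |
    Select-Object -First 5 |
    ForEach-Object { '{0:HH:mm:ss} {1}' -f $_.TimeCreated, ($_.Message -replace '\s+', ' ') })
$report.FailureIntervalsSec = if ($authFailures.Count -gt 1) {
    $t = @($authFailures | Sort-Object TimeCreated | Select-Object -ExpandProperty TimeCreated)
    (1..($t.Count - 1) | ForEach-Object { [int]($t[$_] - $t[$_ - 1]).TotalSeconds }) -join ','
} else { 'n/a' }

[pscustomobject]$report | Format-List
```

Run it in an elevated Windows PowerShell session on the affected master and on a known-good server and diff the two reports: a server that onboards cleanly should show OnboardingState 1, Tcp443 True, TestProbe "200 Ok", zero AuthFailures and only all-succeeded contact summaries, which narrows the difference on the Citrix image to the first field that disagrees.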